Peer practices: Checklist & security clauses for 3rd-party contracts

What contractual elements do you need to think of when working with 3rd parties?

The legal provisions in your contracts with 3rd-parties ensure the definition, understanding, discussion and safeguarding of everyone’s responsibilities. What elements do your peers find ‘non-negotiable’ in order to work with a 3rd party?

The checklist shared by the Beltug member brings together the requirements the organisation wants to have in its contracts, and deals with specifications around:

• Data and data confidentiality; e.g., data centres in the EU;
• Financials and IP; e.g., 60 days end of month payment terms;
• Legal and Liability; e.g., under Belgian law;
• Marketing, privacy and quality of service; e.g., agreement on clear SLAs;
• Scope, security and terms & termination; e.g., escrow procedure in case of end of contract.

What specific security clauses could your organisation use?

Safeguarding sensitive data and systems from potential breaches and cyber threats is critical to maintain trust and protect all stakeholders. When it comes to security and 3rd parties, legislation such as the NIS2 increases the importance of security requirements when dealing with 3rd parties. Entities falling within the scope of the legislation will be obliged to ensure the security of their suppliers.

The devil is in the details, so covering all aspects is important. You will find security clauses related to scope, confidentiality and deletion, IT security measures, right to audit, subcontractors and data protection. These clauses were inspired by the ISO 27001:2013 framework for the technical and organisational IT security measures.

The policies are available for Beltug members, after login.